minicuper · December 17, 2015 13:07
diff --git a/gistfile1.txt b/gistfile1.txt
 #cloud-config

 coreos:
  etcd2:
    # generate a new token for each unique cluster from https://discovery.etcd.io/new
    discovery: https://discovery.etcd.io/dd1b67886bb170346de11d3f5d2d076f
    # multi-region and multi-cloud deployments need to use 169.254.171.147
    advertise-client-urls: http://10.132.48.157:2379
    initial-advertise-peer-urls: http://10.132.48.157:2380
    # listen on both the official ports and the legacy ports
    # legacy ports can be omitted if your application doesn't depend on them
    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
    listen-peer-urls: http://10.132.48.157:2380,http://10.132.48.157:7001
    data-dir: /var/lib/etcd2
  fleet:
    public-ip: 10.132.48.157
    metadata: controlPlane=true,dataPlane=true,routerMesh=true
  update:
    reboot-strategy: "off"
  units:
    - name: etcd.service
      mask: true
    - name: etcd2.service
      command: start
    - name: fleet.service
      command: start
    - name: docker-tcp.socket
      command: start
      enable: true
      content: |
        [Unit]
        Description=Docker Socket for the API

        [Socket]
        ListenStream=2375
        Service=docker.service
        BindIPv6Only=both

        [Install]
        WantedBy=sockets.target
    - name: update-engine.service
      command: stop
      enable: false
    - name: docker.service
      drop-ins:
      - name: 10-require-flannel.conf
        content: |
          [Unit]
          Requires=flanneld.service
          After=flanneld.service
      - name: 50-insecure-registry.conf
        content: |
          [Service]
          Environment="DOCKER_OPTS=--insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16 --insecure-registry 100.64.0.0/10"
    - name: flanneld.service
      command: start
      drop-ins:
      - name: 50-network-config.conf
        content: |
          [Service]
          ExecStartPre=-/usr/bin/etcdctl mk /coreos.com/network/config '{"Network": "10.244.0.0/16", "SubnetLen": 24, "SubnetMin": "10.244.0.0", "Backend": {"Type": "vxlan"}}'
    - name: graceful-deis-shutdown.service
      content: |
        [Unit]
        Description=Clean up
        DefaultDependencies=no
        After=fleet.service etcd2.service docker.service docker.socket deis-store-admin.service deis-store-daemon.service deis-store-volume.service deis-store-monitor.service
        Requires=fleet.service etcd2.service deis-store-admin.service deis-store-daemon.service deis-store-volume.service docker.service docker.socket deis-store-monitor.service

        [Install]
        WantedBy=shutdown.target halt.target reboot.target

        [Service]
        ExecStop=/opt/bin/graceful-shutdown.sh --really
        Type=oneshot
        TimeoutSec=1200
        RemainAfterExit=yes
    - name: install-deisctl.service
      command: start
      content: |
        [Unit]
        Description=Install deisctl utility
        ConditionPathExists=!/opt/bin/deisctl

        [Service]
        Type=oneshot
        ExecStart=/usr/bin/sh -c 'curl -sSL --retry 5 --retry-delay 2 http://deis.io/deisctl/install.sh | sh -s 1.12.2'
    - name: increase-nf_conntrack-connections.service
      command: start
      content: |
        [Unit]
        Description=Increase the number of connections in nf_conntrack. default is 65536

        [Service]
        Type=oneshot
        ExecStartPre=/usr/sbin/modprobe nf_conntrack
        ExecStart=/bin/sh -c "sysctl -w net.netfilter.nf_conntrack_max=262144"
 write_files:
  - path: /etc/deis-release
    content: |
      DEIS_RELEASE=v1.12.2
  - path: /etc/motd
    content: " \e[31m* *    \e[34m*   \e[32m*****    \e[39mddddd   eeeeeee iiiiiii   ssss\n\e[31m*   *  \e[34m* *  \e[32m*   *     \e[39md   d   e    e    i     s    s\n \e[31m* *  \e[34m***** \e[32m*****     \e[39md    d  e         i    s\n\e[32m*****  \e[31m* *    \e[34m*       \e[39md     d e         i     s\n\e[32m*   * \e[31m*   *  \e[34m* *      \e[39md     d eee       i      sss\n\e[32m*****  \e[31m* *  \e[34m*****     \e[39md     d e         i         s\n  \e[34m*   \e[32m*****  \e[31m* *      \e[39md    d  e         i          s\n \e[34m* *  \e[32m*   * \e[31m*   *     \e[39md   d   e    e    i    s    s\n\e[34m***** \e[32m*****  \e[31m* *     \e[39mddddd   eeeeeee iiiiiii  ssss\n\n\e[39mWelcome to Deis\t\t\tPowered by Core\e[38;5;45mO\e[38;5;206mS\e[39m\n"
  - path: /etc/profile.d/nse-function.sh
    permissions: '0755'
    content: |
      function nse() {
        docker exec -it $1 bash
      }
  - path: /run/deis/bin/get_image
    permissions: '0755'
    content: |
      #!/usr/bin/env bash
      # usage: get_image <component_path>
      IMAGE=`etcdctl get $1/image 2>/dev/null`

      # if no image was set in etcd, we use the default plus the release string
      if [ $? -ne 0 ]; then
        RELEASE=`etcdctl get /deis/platform/version 2>/dev/null`

        # if no release was set in etcd, use the default provisioned with the server
        if [ $? -ne 0 ]; then
          source /etc/deis-release
          RELEASE=$DEIS_RELEASE
        fi

        IMAGE=$1:$RELEASE
      fi

      # remove leading slash
      echo ${IMAGE#/}
  - path: /run/deis/bin/preseed
    permissions: '0755'
    content: |
      #!/usr/bin/env bash

      COMPONENTS=(builder controller database logger logspout publisher registry router store-daemon store-gateway store-metadata store-monitor)
      for c in "${COMPONENTS[@]}"; do
        image=`/run/deis/bin/get_image /deis/$c`
        docker history $image >/dev/null 2>&1 || docker pull $image
      done
  - path: /opt/bin/deis-debug-logs
    permissions: '0755'
    content: |
      #!/usr/bin/env bash

      echo '--- VERSIONS ---'
      source /etc/os-release
      echo $PRETTY_NAME
      source /etc/deis-release
      echo "Deis $DEIS_RELEASE"
      etcd2 -version | head -n1
      fleet -version
      printf "\n"

      echo '--- SYSTEM STATUS ---'
      journalctl -n 50 -u etcd --no-pager
      journalctl -n 50 -u fleet --no-pager
      printf "\n"

      echo '--- DEIS STATUS ---'
      deisctl list
      etcdctl ls --recursive /deis
      printf "\n"
  - path: /home/core/.toolboxrc
    owner: core
    content: |
      TOOLBOX_DOCKER_IMAGE=alpine
      TOOLBOX_DOCKER_TAG=3.1
      TOOLBOX_USER=root
  - path: /etc/environment_proxy
    owner: core
    content: |
      HTTP_PROXY=
      HTTPS_PROXY=
      ALL_PROXY=
      NO_PROXY=
      http_proxy=
      https_proxy=
      all_proxy=
      no_proxy=
  - path: /etc/systemd/coredump.conf
    content: |
      [Coredump]
      Storage=none
  - path: /opt/bin/graceful-shutdown.sh
    permissions: '0755'
    content: |
      #!/usr/bin/bash
      if [ "$1" != '--really' ]; then
        echo "command must be run as: $0 --really"
        exit 1
      fi
      # procedure requires the store-admin
      ADMIN_RUNNING=$(docker inspect --format="{{ .State.Running }}" deis-store-admin)
      if [ $? -eq 1 ] || [ "$ADMIN_RUNNING" == "false" ]; then
        echo "deis-store-admin container is required for graceful shutdown"
        exit 2
      fi
      set -e -x -o pipefail
      # determine osd id
      CURRENT_STATUS=$(docker exec deis-store-admin ceph health | awk '{print $1}')
      OSD_HOSTS=($(etcdctl ls /deis/store/hosts/| awk -F'/' '{print $5}'))
      for HOST in "${OSD_HOSTS[@]}"
      do
        PUBLIC_IP=$(fleetctl list-machines -fields="machine,ip" -full -no-legend| grep `cat /etc/machine-id` | awk '{print $2}')
        if [ "$HOST" = "$PUBLIC_IP" ] ; then
          OSD_ID=$(etcdctl get /deis/store/osds/$PUBLIC_IP)
          break
        fi
      done
      # if we own an osd and its healthy, try to gracefully remove it
      if [ ! -z "$OSD_ID" ] && [[ "$CURRENT_STATUS" == *"HEALTH_OK"* ]] && [ ${#OSD_HOSTS[@]} -gt "3" ]; then
        docker exec deis-store-admin ceph osd out $OSD_ID
        sleep 30
        TIMEWAITED=0
        until [[ $(docker exec deis-store-admin ceph health) == *"HEALTH_OK"* ]]
        do
          if [ $TIMEWAITED -gt "1200" ]
          then
            echo "ceph graceful removal timeout exceeded"
            break
          fi
          echo "waiting" && sleep 5
          TIMEWAITED=$((TIMEWAITED+5))
        done
        docker stop deis-store-daemon
        docker exec deis-store-admin ceph osd crush remove osd.$OSD_ID
        docker exec deis-store-admin ceph auth del osd.$OSD_ID
        docker exec deis-store-admin ceph osd rm $OSD_ID
        etcdctl rm /deis/store/osds/$PUBLIC_IP
        etcdctl rm /deis/store/hosts/$PUBLIC_IP && sleep 10
        # remove ceph mon
        docker stop deis-store-monitor || true
        docker exec deis-store-admin ceph mon remove `hostname -f` # fixme
        docker stop deis-store-metadata || true
      fi

      # removing the node from etcd
      NODE=$(etcdctl member list | grep `cat /etc/machine-id` | cut -d ':' -f 1)
      etcdctl member remove $NODE
  - path: /opt/bin/wupiao
    permissions: '0755'
    content: |
      #!/usr/bin/env bash
      # [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
      [ -n "$1" ] && \
        until curl -o /dev/null -sIf http://${1}; do \
          sleep 1 && echo .;
        done;
      exit $?
  - path: /opt/bin/download-k8s-binary
    permissions: '0755'
    content: |
      #!/usr/bin/env bash
      export K8S_VERSION="v1.0.1"
      mkdir -p /opt/bin
      FILE=$1
      if [ ! -f /opt/bin/$FILE ]; then
        curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
        chmod +x /opt/bin/$FILE
      else
        # we check the version of the binary
        INSTALLED_VERSION=$(/opt/bin/$FILE --version)
        MATCH=$(echo "${INSTALLED_VERSION}" | grep -c "${K8S_VERSION}")
        if [ $MATCH -eq 0 ]; then
          # the version is different
          curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
          chmod +x /opt/bin/$FILE
        fi
      fi
  - path: /opt/bin/scheduler-policy.json
    content: |
      {
          "kind": "Policy",
          "apiVersion": "v1",
          "predicates": [{"name": "PodFitsPorts"},{"name": "PodFitsResources"},{"name": "NoDiskConflict"},{"name": "MatchNodeSelector"},{"name": "HostName"}],
          "priorities": [{"name": "LeastRequestedPriority","weight": 1},{"name": "BalancedResourceAllocation","weight": 1},{"name": "ServiceSpreadingPriority","weight": 2},{"name": "EqualPriority","weight": 1}]
      }
	#cloud-config

	coreos:
	etcd2:
	# generate a new token for each unique cluster from https://discovery.etcd.io/new
	discovery: https://discovery.etcd.io/dd1b67886bb170346de11d3f5d2d076f
	# multi-region and multi-cloud deployments need to use 169.254.171.147
	advertise-client-urls: http://10.132.48.157:2379
	initial-advertise-peer-urls: http://10.132.48.157:2380
	# listen on both the official ports and the legacy ports
	# legacy ports can be omitted if your application doesn't depend on them
	listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
	listen-peer-urls: http://10.132.48.157:2380,http://10.132.48.157:7001
	data-dir: /var/lib/etcd2
	fleet:
	public-ip: 10.132.48.157
	metadata: controlPlane=true,dataPlane=true,routerMesh=true
	update:
	reboot-strategy: "off"
	units:
	- name: etcd.service
	mask: true
	- name: etcd2.service
	command: start
	- name: fleet.service
	command: start
	- name: docker-tcp.socket
	command: start
	enable: true
	content: \|
	[Unit]
	Description=Docker Socket for the API

	[Socket]
	ListenStream=2375
	Service=docker.service
	BindIPv6Only=both

	[Install]
	WantedBy=sockets.target
	- name: update-engine.service
	command: stop
	enable: false
	- name: docker.service
	drop-ins:
	- name: 10-require-flannel.conf
	content: \|
	[Unit]
	Requires=flanneld.service
	After=flanneld.service
	- name: 50-insecure-registry.conf
	content: \|
	[Service]
	Environment="DOCKER_OPTS=--insecure-registry 10.0.0.0/8 --insecure-registry 172.16.0.0/12 --insecure-registry 192.168.0.0/16 --insecure-registry 100.64.0.0/10"
	- name: flanneld.service
	command: start
	drop-ins:
	- name: 50-network-config.conf
	content: \|
	[Service]
	ExecStartPre=-/usr/bin/etcdctl mk /coreos.com/network/config '{"Network": "10.244.0.0/16", "SubnetLen": 24, "SubnetMin": "10.244.0.0", "Backend": {"Type": "vxlan"}}'
	- name: graceful-deis-shutdown.service
	content: \|
	[Unit]
	Description=Clean up
	DefaultDependencies=no
	After=fleet.service etcd2.service docker.service docker.socket deis-store-admin.service deis-store-daemon.service deis-store-volume.service deis-store-monitor.service
	Requires=fleet.service etcd2.service deis-store-admin.service deis-store-daemon.service deis-store-volume.service docker.service docker.socket deis-store-monitor.service

	[Install]
	WantedBy=shutdown.target halt.target reboot.target

	[Service]
	ExecStop=/opt/bin/graceful-shutdown.sh --really
	Type=oneshot
	TimeoutSec=1200
	RemainAfterExit=yes
	- name: install-deisctl.service
	command: start
	content: \|
	[Unit]
	Description=Install deisctl utility
	ConditionPathExists=!/opt/bin/deisctl

	[Service]
	Type=oneshot
	ExecStart=/usr/bin/sh -c 'curl -sSL --retry 5 --retry-delay 2 http://deis.io/deisctl/install.sh \| sh -s 1.12.2'
	- name: increase-nf_conntrack-connections.service
	command: start
	content: \|
	[Unit]
	Description=Increase the number of connections in nf_conntrack. default is 65536

	[Service]
	Type=oneshot
	ExecStartPre=/usr/sbin/modprobe nf_conntrack
	ExecStart=/bin/sh -c "sysctl -w net.netfilter.nf_conntrack_max=262144"
	write_files:
	- path: /etc/deis-release
	content: \|
	DEIS_RELEASE=v1.12.2
	- path: /etc/motd
	content: " \e[31m* * \e[34m* \e[32m***** \e[39mddddd eeeeeee iiiiiii ssss\n\e[31m* * \e[34m* * \e[32m* * \e[39md d e e i s s\n \e[31m* * \e[34m*** \e[32m* \e[39md d e i s\n\e[32m*** \e[31m* * \e[34m* \e[39md d e i s\n\e[32m* * \e[31m* * \e[34m* * \e[39md d eee i sss\n\e[32m***** \e[31m* * \e[34m***** \e[39md d e i s\n \e[34m* \e[32m***** \e[31m* * \e[39md d e i s\n \e[34m* * \e[32m* * \e[31m* * \e[39md d e e i s s\n\e[34m*** \e[32m*** \e[31m* * \e[39mddddd eeeeeee iiiiiii ssss\n\n\e[39mWelcome to Deis\t\t\tPowered by Core\e[38;5;45mO\e[38;5;206mS\e[39m\n"
	- path: /etc/profile.d/nse-function.sh
	permissions: '0755'
	content: \|
	function nse() {
	docker exec -it $1 bash
	}
	- path: /run/deis/bin/get_image
	permissions: '0755'
	content: \|
	#!/usr/bin/env bash
	# usage: get_image <component_path>
	IMAGE=`etcdctl get $1/image 2>/dev/null`

	# if no image was set in etcd, we use the default plus the release string
	if [ $? -ne 0 ]; then
	RELEASE=`etcdctl get /deis/platform/version 2>/dev/null`

	# if no release was set in etcd, use the default provisioned with the server
	if [ $? -ne 0 ]; then
	source /etc/deis-release
	RELEASE=$DEIS_RELEASE
	fi

	IMAGE=$1:$RELEASE
	fi

	# remove leading slash
	echo ${IMAGE#/}
	- path: /run/deis/bin/preseed
	permissions: '0755'
	content: \|
	#!/usr/bin/env bash

	COMPONENTS=(builder controller database logger logspout publisher registry router store-daemon store-gateway store-metadata store-monitor)
	for c in "${COMPONENTS[@]}"; do
	image=`/run/deis/bin/get_image /deis/$c`
	docker history $image >/dev/null 2>&1 \|\| docker pull $image
	done
	- path: /opt/bin/deis-debug-logs
	permissions: '0755'
	content: \|
	#!/usr/bin/env bash

	echo '--- VERSIONS ---'
	source /etc/os-release
	echo $PRETTY_NAME
	source /etc/deis-release
	echo "Deis $DEIS_RELEASE"
	etcd2 -version \| head -n1
	fleet -version
	printf "\n"

	echo '--- SYSTEM STATUS ---'
	journalctl -n 50 -u etcd --no-pager
	journalctl -n 50 -u fleet --no-pager
	printf "\n"

	echo '--- DEIS STATUS ---'
	deisctl list
	etcdctl ls --recursive /deis
	printf "\n"
	- path: /home/core/.toolboxrc
	owner: core
	content: \|
	TOOLBOX_DOCKER_IMAGE=alpine
	TOOLBOX_DOCKER_TAG=3.1
	TOOLBOX_USER=root
	- path: /etc/environment_proxy
	owner: core
	content: \|
	HTTP_PROXY=
	HTTPS_PROXY=
	ALL_PROXY=
	NO_PROXY=
	http_proxy=
	https_proxy=
	all_proxy=
	no_proxy=
	- path: /etc/systemd/coredump.conf
	content: \|
	[Coredump]
	Storage=none
	- path: /opt/bin/graceful-shutdown.sh
	permissions: '0755'
	content: \|
	#!/usr/bin/bash
	if [ "$1" != '--really' ]; then
	echo "command must be run as: $0 --really"
	exit 1
	fi
	# procedure requires the store-admin
	ADMIN_RUNNING=$(docker inspect --format="{{ .State.Running }}" deis-store-admin)
	if [ $? -eq 1 ] \|\| [ "$ADMIN_RUNNING" == "false" ]; then
	echo "deis-store-admin container is required for graceful shutdown"
	exit 2
	fi
	set -e -x -o pipefail
	# determine osd id
	CURRENT_STATUS=$(docker exec deis-store-admin ceph health \| awk '{print $1}')
	OSD_HOSTS=($(etcdctl ls /deis/store/hosts/\| awk -F'/' '{print $5}'))
	for HOST in "${OSD_HOSTS[@]}"
	do
	PUBLIC_IP=$(fleetctl list-machines -fields="machine,ip" -full -no-legend\| grep `cat /etc/machine-id` \| awk '{print $2}')
	if [ "$HOST" = "$PUBLIC_IP" ] ; then
	OSD_ID=$(etcdctl get /deis/store/osds/$PUBLIC_IP)
	break
	fi
	done
	# if we own an osd and its healthy, try to gracefully remove it
	if [ ! -z "$OSD_ID" ] && [[ "$CURRENT_STATUS" == "HEALTH_OK" ]] && [ ${#OSD_HOSTS[@]} -gt "3" ]; then
	docker exec deis-store-admin ceph osd out $OSD_ID
	sleep 30
	TIMEWAITED=0
	until [[ $(docker exec deis-store-admin ceph health) == "HEALTH_OK" ]]
	do
	if [ $TIMEWAITED -gt "1200" ]
	then
	echo "ceph graceful removal timeout exceeded"
	break
	fi
	echo "waiting" && sleep 5
	TIMEWAITED=$((TIMEWAITED+5))
	done
	docker stop deis-store-daemon
	docker exec deis-store-admin ceph osd crush remove osd.$OSD_ID
	docker exec deis-store-admin ceph auth del osd.$OSD_ID
	docker exec deis-store-admin ceph osd rm $OSD_ID
	etcdctl rm /deis/store/osds/$PUBLIC_IP
	etcdctl rm /deis/store/hosts/$PUBLIC_IP && sleep 10
	# remove ceph mon
	docker stop deis-store-monitor \|\| true
	docker exec deis-store-admin ceph mon remove `hostname -f` # fixme
	docker stop deis-store-metadata \|\| true
	fi

	# removing the node from etcd
	NODE=$(etcdctl member list \| grep `cat /etc/machine-id` \| cut -d ':' -f 1)
	etcdctl member remove $NODE
	- path: /opt/bin/wupiao
	permissions: '0755'
	content: \|
	#!/usr/bin/env bash
	# [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
	[ -n "$1" ] && \
	until curl -o /dev/null -sIf http://${1}; do \
	sleep 1 && echo .;
	done;
	exit $?
	- path: /opt/bin/download-k8s-binary
	permissions: '0755'
	content: \|
	#!/usr/bin/env bash
	export K8S_VERSION="v1.0.1"
	mkdir -p /opt/bin
	FILE=$1
	if [ ! -f /opt/bin/$FILE ]; then
	curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
	chmod +x /opt/bin/$FILE
	else
	# we check the version of the binary
	INSTALLED_VERSION=$(/opt/bin/$FILE --version)
	MATCH=$(echo "${INSTALLED_VERSION}" \| grep -c "${K8S_VERSION}")
	if [ $MATCH -eq 0 ]; then
	# the version is different
	curl -sSL -o /opt/bin/$FILE https://storage.googleapis.com/kubernetes-release/release/${K8S_VERSION}/bin/linux/amd64/$FILE
	chmod +x /opt/bin/$FILE
	fi
	fi
	- path: /opt/bin/scheduler-policy.json
	content: \|
	{
	"kind": "Policy",
	"apiVersion": "v1",
	"predicates": [{"name": "PodFitsPorts"},{"name": "PodFitsResources"},{"name": "NoDiskConflict"},{"name": "MatchNodeSelector"},{"name": "HostName"}],
	"priorities": [{"name": "LeastRequestedPriority","weight": 1},{"name": "BalancedResourceAllocation","weight": 1},{"name": "ServiceSpreadingPriority","weight": 2},{"name": "EqualPriority","weight": 1}]
	}